AWS Certified Solutions Architect - Associate

Explanation

Correct Answer: B - Configure a VPC peering connection between VPC A and VPC B.

Why this is the MOST secure solution:

1. Private Network Communication: VPC peering establishes a direct network connection between VPCs using private IP addresses, keeping all traffic within the AWS network and not traversing the public internet.

2. Security Group Control: With VPC peering, you can use security groups to control access at the instance level, allowing only specific traffic between the EC2 instance in VPC A and the database in VPC B.

3. No Public Exposure: The database remains private and not exposed to the internet, significantly reducing the attack surface.

4. Cost-Effective: No data transfer charges between peered VPCs in the same region.

Why other options are less secure:

A. Create a DB instance security group that allows all traffic from the public IP address of the application server in VPC A.

• Traffic still goes over the public internet
• Public IP addresses can change
• Less secure than private network communication

C. Make the DB instance publicly accessible. Assign a public IP address to the DB instance.

• Least secure option - exposes the database directly to the internet
• Vulnerable to attacks from anywhere
• Violates security best practices

D. Launch an EC2 instance with an Elastic IP address into VPC B. Proxy all requests through the new EC2 instance.

• Adds unnecessary complexity
• Creates additional attack surface with the proxy instance
• Traffic still goes through public internet
• Higher operational overhead

Best Practice: VPC peering is the recommended AWS solution for secure, private communication between VPCs within the same account and region. It provides the highest level of security while maintaining simplicity and performance.